Programmatically verify certificate (for renewal) against chain and arbitrary timestamp using openssl in bash
We use bash scripts and the openssl command line tool to maintain our internal PKI chain; this was the first thing that came to mind when scripting the auto renewal procedures:

```bash
is_cert_valid () {
    # pem cert, pem cert chain, timestamp
    local signed="$1" signer="$2" at_time="$3"
    openssl verify -attime "$at_time" -CAfile "$signer" "$signed"
    return $?
}
```

However, the exit code for `openssl verify` does not reflect the validity of the given certificate, but (as far as I understand it) whether the command failed to perform the check.

How would one go about rewriting `is_cert_valid` so that it becomes usable in bash `if` statements? Assuming such a thing is possible without using other programming languages like Python or C.
bash openssl pki
I don't think this is really a programming question, but if you only care about expiration and not other kinds of invalidity like revocation, see stackoverflow.com/questions/21297853/… (also marked offtopic)
– dave_thompson_085
Nov 14 '18 at 3:42
asked Nov 14 '18 at 0:43
Facundo
1 Answer
This method works for validating partial chains, and the parsing part is quite trivial. It also works for CAs: just pass the same certificate for the signer and the signed.

```bash
is_cert_valid () {
    # signer: PEM trust anchor (or chain), signed: PEM cert to check,
    # at_time_offset: seconds relative to now at which validity is evaluated
    local signer="$1" signed="$2" at_time_offset="$3" output
    if output="$(openssl verify \
            -CApath /dev/null \
            -attime "$(( at_time_offset + $(date +%s) ))" \
            -partial_chain \
            -trusted "$signer" \
            "$signed"
        )" &&
        [[ "$output" == "$signed: OK" ]]; then
        return 0
    fi
    return 1
}
```
answered Nov 23 '18 at 20:13
Facundo